Implementing DKIM in Zentyal MTA with SoGO

To implement this authentication mechanism, you can use a third party software called OpenDKIM. These are the steps you have to follow to deploy DKIM.

1. Install the necessary packages:

sudo apt-get install -y opendkim opendkim-tools

2. Create the folder for the DKIM keys:

sudo mkdir -vp /etc/opendkim/keys

3. Generate the DKIM keys:

sudo opendkim-genkey -s mail -d zentyal-domain.lan -D /etc/opendkim/keys

4. Configure the folder permissions:

chown -R opendkim:opendkim /etc/opendkim/
sudo chmod 0640 /etc/opendkim/keys/*.private

5. Create the /etc/opendkim/TrustedHosts configuration file, where you indiate the trusted hosts:

127.0.0.1
localhost
192.168.6.0/24
*.zentyal-domain.lan

6. Create the /etc/opendkim/SigningTable configuration file that will contain the domain and subdomains which will be signed by DKIM:

*@zentyal-domain.lan mail

7. Define the selector name and the path of the private key to sign the /etc/opendkim/KeyTable configuration file:

mail zentyal-domain.lan:mail:/etc/opendkim/keys/mail.private

8. Once you have finished defining these configuration files, you have to create the main OpenDKIM configuration file located in the /etc/opendkim.conf:

Mode sv
PidFile /var/run/opendkim/opendkim.pid
UserID opendkim:opendkim
Socket inet:8891@127.0.0.1
SignatureAlgorithm rsa-sha256
AutoRestart Yes
AutoRestartRate 10/1h
Syslog yes
SyslogSuccess yes
LogWhy Yes
UMask 002
OversignHeaders From
Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
Signingtable refile:/etc/opendkim/SigningTable

9. Next, you have to establish the address and listening port of DKIM in the /etc/default/opendkim configuration file:

SOCKET="inet:8891@127.0.0.1"

10. To finish the OpenDKIM configuration, you have to start the service and enable it:

sudo systemctl restart opendkim
sudo systemctl enable opendkim

11. Then you will have to add the following configuration parameters to the /usr/share/zentyal/stubs/mail/main.cf.mas configuration template of the Mail module to use OpenDKIM:

## DKIM Configuration
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

Warning

You have to carefully read the Zentyal documentation on stubs to make the change persistent to module updates.

12. Restart the Mail module to apply the changes:

sudo zs mail restart

13. Then you will have to add the TXT record to the DNS module with the content of the /etc/opendkim/keys/mail.txt configuration file. An example of its content:

mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7H
Gd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5o
G7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBA
R057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx
4jo9sjH3cRc/1kNRg7lzzvay" "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXt
d3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4
yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB" )
; ----- DKIM key mail for zentyal-domain.lan

14. And the command [22] to add this particular record:

samba-tool dns add zentyal.zentyal-domain.lan zentyal-domain.lan \
mail._domainkey.zentyal-domain.lan TXT '"v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNad
QnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhP
UaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqL
Ww0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay" "Q/Pxy
xpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPz
C9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiw
wIDAQAB"'

Warning

Pay attention to the content of the file before adding the TXT record.

15. Finally, to confirm that the record has been successfully added to the domain, one of the most recommended ways is to use the MXtoolbox website . When sending an email, you should see an excerpt similar to this in the header of the message:

Src: 
https://doc.zentyal.org/en/mail.html

Share

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.